MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77acad55f36e96de7a8d2d37abc8faee5795196c67a89ae0b283f9076ea45c51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77acad55f36e96de7a8d2d37abc8faee5795196c67a89ae0b283f9076ea45c51
SHA3-384 hash: bf2e0ea1e33e4201e78aca4629a67e2d4cae6ce6777afc0d931650434844417ca23b42d9a0f9b5e02e45137d8a575b64
SHA1 hash: d03cc28af3ca143ef308bb8bbf11bdfa76b8118c
MD5 hash: 487def2d050ef8844a197e363c931f0b
humanhash: winner-nevada-alanine-arizona
File name:IMG6690-05-2020 BANK ORDER SCAN COPIES.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'477'632 bytes
First seen:2020-05-18 12:52:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:jCdxte/80jYLT3U1jfsWaSlGBYsY2d9afvmXnxwVV+HPTWVgoqaQUQ:qw80cTsjkWaSlk+2XnmVVCPTmrqa6
Threatray 2'193 similar samples on MalwareBazaar
TLSH 7865D02273DDC361CB769173BF69B7017EBB78610630B85B2F880D7DA950162262DB63
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail.eldorado.com.uy
Sending IP: 190.64.204.54
From: Claudia Mendaro <cmendaro@eldorado.com.uy>
Subject: Fwd: WIRE ORDER No 6942 *BST E010-07976
Attachment: IMG6690-05-2020 BANK ORDER SCAN COPIES.rar (contains "IMG6690-05-2020 BANK ORDER SCAN COPIES.exe")

Loki C2:
http://mecharnise.ir/da9/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-18 14:22:00 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6wk2vptn2ln46unfu32xsh25zlzkglmm6ujvyfsqp4qo3velriq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
00372c59a05ba9cce6ab5a40b28e8bd7db5a284e019dbaaaccf30408ec14f26f
Loki
1fc07dd40ce54a5f60fd732d7cef7e8021ef21971fe7027ffdf524f326c59ac8
Loki
2773ca0f617c527ecacc2ab05f488ad9bb4875816d8f934e920bcbc40dd3f604
Loki
61a34452d0fe45c9ca538fae20e355c89d2d104b5dc8f50ca46be2d1e59e83c4
Loki
7e784491a41c322df63b093c3966bc9c0d209e66706c890a4803b39de0dec51d
Loki
925f7ac6e0ab0911c0cd801094f7d22e407ab69755173d6a38fb4f325bb160f5
Loki
9322b0f3acdb180dc3ff81c0cf648b26c294caddcb550a18296941d302519274
Loki
c46c893972a4e58ca13bd9751cad2e962d0a8d6b59e2a5d061250c1b79fbafed
Loki
d2857b888fbab6dc4e36c403e86f39fedee428ba5ed45b28b8f99e59fb93ff58
Loki
e6c6e7d2f285d7248b7b8e2e4db1aa8340f967ff3f45a6a4c35165e24d3ff9a2
Loki
+ 2'183 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201109-fds9qtb9r2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://mecharnise.ir/da9/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 48290438a9422960ffc63c428a9645de43d2a9a0cda9f35b0d37ac32a232ccc7

Loki

Executable exe 77acad55f36e96de7a8d2d37abc8faee5795196c67a89ae0b283f9076ea45c51

(this sample)

  
Dropped by
MD5 acbde86c9bef655fef24a316a7ee0bc8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 48290438a9422960ffc63c428a9645de43d2a9a0cda9f35b0d37ac32a232ccc7

Comments